'Black cloud' of the NSA 'looms over' international encryption

Encryption project will proceed, but some delegates see it as incompatible with aims of government agencies

Suspicion towards the U.S. National Security Agency (NSA) is holding back cooperation in the vital area of encryption, experts told WikiTribune, after an NSA plan to increase global encryption standardization for the “internet of things” was rejected by a leading body.

The NSA has a track record (Atlas Obscura) of trying to install vulnerabilities, or backdoors, into security tools, including forms of encryption. This dispute over the Simon and Speck algorithms – which would have been included in household objects such as smart speakers, fridges, lighting and heating systems – showed the agency still lacks the trust of many countries, including U.S. allies.

In response to inquiries from WikiTribune, NSA Capabilities Technical Director Neal Ziring said: “Both Simon and Speck were subjected to several years of detailed cryptanalytic analysis within NSA, and have been subject to academic analysis by researchers worldwide since 2014. They are good block ciphers with solid security and excellent power and space characteristics.” (See full response below.)

In cybersecurity, the rules are different

“In the cyberspace, alliances are quite different than in the conventional strategic spaces,” said Dr. Nicolas Mazzucchi, from the Foundation for Strategic Research in Paris.

“In traditional military, having an alliance is, above all, sharing the strengths. In the cyberspace, on the contrary, alliances are made upon the sharing of vulnerabilities,” said Mazzucchi, explaining that allied agencies test each other’s vulnerabilities and share solutions. They even sometimes test the strengths of their allies’ security, on the basis of mutual trust, and the understanding that one ally’s weakness makes them all potentially vulnerable.

Leaks from whistleblower Edward Snowden, including the allegation that the NSA tapped the phones (Guardian) of 35 world leaders including German Chancellor Angela Merkel and then-French President Francois Hollande, undermined the good faith on which this relationship was built, said Mazzucchi.

“Their distrust over the NSA-run ISO program could be regarded as a will to explore other ways to achieve a satisfying level of cybersecurity, avoiding [the risk of] communications [being] systematically intercepted by the U.S. intelligence agencies,” said Mazzucchi.

The NSA still lives under a cloud of its own making

“If those designs were not coming from NSA, they would not have received the attention they did,” Stefan Kölbl, who advised the Danish delegation to the ISO, told WikiTribune.

This suspicion is not entirely down to Snowden, he added. “There has been a long history of conflicts between the widespread application of strong cryptography and NSA, but it definitely brought the issue to a broader audience and also revealed the full scope to us on the effort being carried out to subvert secure systems,” said Kölbl.

Dr. Tomer Ashur of KU Leuven University in Belgium was the most ardent opponent of the plan, according to several people WikiTribune contacted who were at the meeting.

“Of course the NSA’s history was looming over us like a black cloud, but I don’t think this was a prime factor [in closing the program],” Ashur told WikiTribune.

“Many crypto experts both within and outside ISO had concerns about the security of the algorithms,” said Ashur. “The NSA tried to remain as obscure as it could about certain design decisions and parameter choices they have made. As this is out of line with what is perceived as best practices of cipher design, this alarmed some of the delegates, including myself.”

Specific requests for more detailed information were met with obfuscation, said Ashur.

“I can’t speak for the other delegates but I believe it was these concerns together with the adversarial and aggressive behavior of the NSA that eventually led them to support the cancellation of the project,” he said.

ISO encryption program will move forward, without the NSA

Standardizing encryption for the internet of things is perfectly achievable, said Kölbl, but the dispute with the NSA has convinced many developers that their mission might not be compatible with the aims of government intelligence agencies.

“In general it is healthy to be very careful with cryptographic algorithms coming out of any intelligence agency, as there is often some sort of conflict of interests,” said Kölbl. “One group inside such an organization might have a general interest in providing strong cryptographic algorithms, however other parts will also have the goal to insert vulnerabilities into commercial encryption systems.”

“I think in the end this whole controversy will be beneficial to the standardization process at ISO,” he said. “It showed that we need to have clearer rules stated which enforce transparency from the designers of a cryptographic algorithm before we consider them for standardization and there has been a lot of discussion going on, on how to improve this process.”

The proposal to adopt Simon and Speck was only an amendment to existing standards, said Ashur, meaning there are ISO-approved standards for this type of encryption. The U.S. National Institute of Standards and Technology, which also contributed to the U.S. delegation, has made further recommendations for types of algorithms that Ashur said he expects the academics at the ISO to be more open to.


“Both Simon and Speck were subjected to several years of detailed cryptanalytic analysis within NSA, and have been subject to academic analysis by researchers worldwide since 2014. They are good block ciphers with solid security and excellent power and space characteristics.”

“NSA devotes our decades of cryptologic experience towards breaking codes for foreign intelligence and making codes to secure U.S. National Security Systems (NSS) – offering strong algorithms for consideration as international standards is often the best way to ensure that such algorithms are implemented in products on which national security depends. That was the basis for submitting Simon and Speck to ISO.”
